Frank,
From the agent's log I see the following:

009/08/27 12:02:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'x.x.x.x'.

From the server log I see the following:

2009/08/27 12:08:06 ossec-remoted(1403): ERROR: Incorrectly formated message from 'x.x.x.x'.

I also used netcat between the two servers to make sure they can communicate
with each other using UDP 1514; each host was able to do so. I've been
tailing the server log file for a while now and it looks like all of the
agents that are not showing up are getting the "incorrectly formatted
message". Does this error have to do with the keys?

Thanks,

Chris



On Wed, Aug 26, 2009 at 2:01 PM, nine 13 tech <[email protected]> wrote:

>
> Chris,
> Have you checked the logs on the clients? There you might see
> something similar to:
> [WARN]trying to connect to <ip of OSSEC server>
> It has been my experience that there are just a few reasons why these
> agents will not connect.
> 1. the registered ip of the agent is not the IP that the server sees. to
> find this - initiate a session or error that would log on the server
> in /var/log/messages etc. or if there is the internet between the
> client and server hit whatsmyip.org to verify.
> 2. a firewall is blocking (you've already checked)
> 3. the key was garbled - you will see errors in /var/ossec/logs/
> ossec.log
> 4. the agent is not started on the client (oops did that once)
>
> If you can, can you please post the client logs from one of the non
> connecting machines (please remember to obfuscate IP addresses)
> Frank Moss
> nine 13 tech
>
> On Aug 25, 1:28 pm, Chris Henderson <[email protected]> wrote:
> > Hey All,
> >
> > In recent weeks I have added and removed several OSSEC agents and I
> > just noticed that none of the new agents are showing up in the OSSEC-
> > WUI under "Available Agents", and I'm not receiving notifications or
> > any alerts for the new hosts. If I run list_agents -a or -c it lists
> > the agents that currently show up in the WUI which total 12 servers.
> > If I do manage_agents and list the servers there are over 40
> > servers listed. I've set the agents up and extracted the keys, I've
> > also made sure the agents can get to the OSSEC server, as well as
> > making sure iptables isn't blocking the agent and server. I have even
> > restarted the OSSEC server. Any suggestions on why none of the new
> > hosts are being monitored?
> >
> > Thanks,
> >
> > Chris
>
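
Added example, not part of the original thread or of OSSEC itself: a small triage script that counts the ossec-remoted(1403) errors per source IP and checks each source against the IPs registered in client.keys, to separate cause 1 (IP mismatch) from cause 3 (key problem) in the list above. The log lines and keys are constructed samples, and the `<id> <name> <ip> <key>` layout with exact IP addresses is an assumption about client.keys.

```python
import re
from collections import Counter

# Constructed server log lines, following the format quoted in the thread.
SAMPLE_SERVER_LOG = """\
2009/08/27 12:08:06 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.0.2.10'.
2009/08/27 12:08:12 ossec-remoted(1403): ERROR: Incorrectly formated message from '192.0.2.10'.
2009/08/27 12:08:20 ossec-remoted(1403): ERROR: Incorrectly formated message from '198.51.100.7'.
2009/08/27 12:08:31 ossec-remoted: INFO: constructed unrelated line
"""

# Constructed client.keys content; assumed layout: "<id> <name> <ip> <key>".
SAMPLE_CLIENT_KEYS = """\
001 web01 192.0.2.10 KEY-PLACEHOLDER-1
002 db01 192.0.2.77 KEY-PLACEHOLDER-2
"""

ERR_1403 = re.compile(r"ossec-remoted\(1403\): ERROR: .* from '([^']+)'")

def rejected_sources(server_log):
    """Count 1403 errors per source IP as seen by the server."""
    return Counter(m.group(1) for m in ERR_1403.finditer(server_log))

def registered_ips(client_keys):
    """Map registered IP -> agent name; lines with fewer than 4 fields are skipped."""
    agents = {}
    for line in client_keys.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            agents[parts[2]] = parts[1]
    return agents

def triage(server_log, client_keys):
    """For each rejected source IP, point at the cause from the thread to check first."""
    agents = registered_ips(client_keys)
    report = {}
    for ip, count in rejected_sources(server_log).items():
        if ip in agents:
            hint = f"registered as {agents[ip]}: check the imported key (cause 3)"
        else:
            hint = "not a registered IP: compare with the address the server sees (cause 1)"
        report[ip] = (count, hint)
    return report

if __name__ == "__main__":
    for ip, (count, hint) in triage(SAMPLE_SERVER_LOG, SAMPLE_CLIENT_KEYS).items():
        print(f"{ip}: {count} rejected message(s), {hint}")
```
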
